Provisional signature schemes

ABSTRACT

A method and apparatus for implementing portions of a provisional signature scheme are disclosed. In one embodiment, the method comprises creating a provisional signature by performing an operation on a message and completing the provisional signature to create a final signature on the message. Such a scheme may be used for server assisted signature schemes, designated confirmer signature schemes and blind signature schemes.

PRIORITY

This is a divisional of application Ser. No. 11/215,550, filed on Aug. 29, 2005, entitled “Provisional Signature Schemes,” and assigned to the corporate assignee of the present invention and incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to the field of cryptography; more particularly, the present invention relates to provisional signature schemes, including the use of provisional signatures to construct server assisted digital signatures, designated confirmer signatures, and blind signature schemes.

BACKGROUND OF THE INVENTION

In the area of general digital signatures, the most common signature schemes are RSA and the U.S. Digital Signature Algorithm over elliptic curves (ECDSA). The RSA algorithm, with appropriate parameters, can be quite fast at verification, but generating signatures is slow. Further, signatures in RSA are at least one kilobyte in size, making them unsuited for SIM cards or for product registration.

A scheme for “online/offline” digital signatures was proposed by Shamir and Tauman. See A. Shamir & Y. Tauman, “Improved Online/Offline Signature Schemes,” CRYPTO 2001. Their scheme made use of chameleon hash functions and introduced the “Hash-Sign-Switch” paradigm that may be used for efficient generation of provisional signatures. They did not, however, consider the application of their scheme to the case of having a server assist in the process.

In server assisted digital signatures, it is desirable to reduce the computational and communication overhead required for a signature by employing a separate server. This is known as Server Assisted Signatures (SAS). Naturally, one can imagine a number of alternate scenarios wherein efficient digital signatures are desired and some third party is available. The issue of reducing signer communication and computation is of immediate practical interest because it allows for more efficient energy usage and, therefore, longer lifetime for mobile devices. Many previously proposed SAS schemes have been found insecure, while others require the signer to communicate a large amount of data per signature or require the server to store a large amount of state per client.

An example application for SAS is product registration. A signer may wish to dispense an authorization key for a piece of software or for a newly purchased phone. The verifier comprises the software itself, which is assumed to have connectivity to the server. The authorization key consists of a signature on the software itself plus a serial number. The digital signature is further typed on a piece of paper or a label shipped with the software.

Another example application for SAS is UIM cards. A UIM card is a smart card containing a processor and a small amount of storage. UIM cards allow the user to maintain a single identity when moving from device to device, such as from one phone to another or from a phone to a PC. In addition, UIM cards are used in FirstPass SSL client authentication, which uses RSA to authenticate a user to a web site. Current UIM cards require special purpose processors to perform RSA digital signatures and may take up to half a second for each signature. Furthermore, an RSA secret key takes one kilobyte of space on the UIM card, and so the number of keys on the card is limited to five.

Previous solutions to the server-assisted signature problem have several drawbacks. A scheme by Beguin and Quisquater was shown to be insecure by Nguyen and Stern. Therefore, it cannot be considered for practical use. For more information, see P. Nguyen and J. Stern, “The Beguin-Quisquater Server-Aided RSA Protocol from Crypto'95 is not Secure,” Asiacrypt 1998 and P. Beguin and J. J. Quisquater, “Fast server-aided RSA signatures secure against active attacks,” CRYPTO 1995. A method by Jakobsson and Wetzel appears secure, but is limited to use for only DSA and ECDSA, because signatures are at least 320 bits in size. See M. Jakobsson and S. Wetzel, “Secure Server-Aided Signature Generation,” International Workshop on Practice and Theory in Public Key Cryptography, 2001.

A scheme by Bicakci and Baykal requires the server to store five kilobytes per signer per signature. See Bicakci & Baykal, “Server Assisted Signatures Revisited,” RSA Cryptographers' Track 2003. If there were, for example, 80 million signers, each of whom produce 10 signatures per day, this requires storing roughly 3.7 terabytes per day. The scheme of Goyal addresses this problem and requires 480 bits of server storage per signature. See V. Goyal, “More Efficient Server Assisted Signatures,” Cryptology ePrint Archive, 2004. With 80 million signers, 10 signatures per day, this scheme requires roughly 357 gigabytes per day.

Worse, in both schemes, the amount of data the server must store increases without bound. This is because the data is kept in case the server is accused of cheating by some signer. Therefore, the data must be kept until the server is sure it cannot be accused of cheating, which in practice may be months or years. Assuming a “statute of limitations” period of one year, Goyal's scheme requires more than 127 terabytes of server storage. If any data is missing and a signature is challenged, the server will be unable to prove it acted correctly.

Another drawback of both the Goyal and the Bicakci-Baykal schemes is that the signer must send a public key for a one-time signature to the server for each message. With the suggested embodiment of Goyal's paper, this requires 26 kilobytes of communication per signature. This large communication makes the product registration application infeasible.

Another type of signature is a designated confirmer signature. In designated confirmer digital signatures, a signature on a message cannot be verified without the assistance of a special “designated confirmer.” The signer selects the designated confirmer when the signature is generated. The designated confirmer can then take a signature and either confirm that the signature is genuine, or disavow a signature that was not actually created by the signer, but the confirmer cannot generate any new signatures. Further, the confirmer can convert a signature into a regular signature that can be verified by anyone.

An example application of using a designated confirmer is the signing of electronic contracts. A job candidate and a potential employer may negotiate an employment contract without being physically present in the same room. The employer would prefer that the employee not use the contract as a bargaining tool with other prospective employers. Therefore, the employer can sign using a designated confirmer signature and designate a court of law as the confirmer. That way, if a dispute arises, the signature can be verified, but the signature cannot be verified in the meantime by other employers. After both parties have finalized the contract, the signature can be converted to a regular signature.

Another example application for use of a designated confirmer is the verification of software patches. A software vendor may wish to restrict software patches only to users who have properly paid for the software. One method of accomplishing this restriction is to sign patches with a designated confirmer signature scheme and provide confirmation only to registered users. Unregistered users cannot verify the signature and run the risk of installing compromised software patches.

Most previous implementations of designated confirmer digital signatures use special-purpose properties of algorithms such as RSA. If these specific algorithms are found insecure, then these schemes are also insecure. Goldwasser and Waisbard showed how to convert several existing signature schemes into designated confirmer signature schemes. See S. Goldwasser and E. Waisbard, “Transformation of Digital Signature Schemes into Designated Confirmer Signature Schemes,” Theory of Cryptography Conference, 2004.

Another type of signature is a blind signature. In blind digital signatures, the signer signs a “blinded” version X of the message M. The blinded version X is generated with the aid of a blinding factor r. A blinder wishes to obtain a signature on a message M without revealing M to the signer. This is achieved by the blinder asking the signer to sign a message X, which is the “blinded version” of M. After signing, the signature can be “unblinded” using the blinding factor to obtain a signature on M. Without the blinding factor, it is infeasible to link a signature on the blinded message X with a signature on the un-blinded message M. From the signature on X, the blinder can then recover a signature on M. The signature on X is referred to as the “provisional signature,” and the signature on M as the “final signature.”

An example application of blind signatures is unlinkable electronic cash tokens. Our goal is to enhance user privacy by ensuring that not even the bank can track different transactions. The user creates a token for a certain denomination and then blinds the token. The bank signs the blinded token and returns it to the user, who unblinds it to obtain the bank's signature on the token. With the token and the bank's signature on the token, the user can partake in a financial transaction since a third party can verify the bank's signature. On the other hand, because the bank signed the blinded token, it cannot trace the token back to the user, hence providing anonymity for the user. To avoid cheating users, a cut-and-choose protocol may be used in which the user generates 100 or more tokens of the same denomination and the bank asks to see 99 of them, chosen randomly, before signing the last token.

SUMMARY OF THE INVENTION

A method and apparatus for implementing portions of a provisional signature scheme are disclosed. In one embodiment, the method comprises creating a provisional signature by performing an operation on a message and completing the provisional signature to create a final signature on the message. Such a scheme may be used for server assisted signature schemes, designated confirmer signature schemes and blind signature schemes.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood more fully from the detailed description given below and from the accompanying drawings of various embodiments of the invention, which, however, should not be taken to limit the invention to the specific embodiments, but are for explanation and understanding only.

FIG. 1 is a flow diagram of one embodiment of a provisional signature process.

FIG. 2 is a flow diagram of one embodiment of a verifier process.

FIG. 3 illustrates one embodiment of a signer, server, or verifier component.

FIG. 4 illustrates an exemplary computer system.

FIG. 5 is a flow diagram of one embodiment of a process for server assisted key generation.

FIG. 6 is a flow diagram of one embodiment of a process for provisional signing in a server assisted signature scheme.

FIG. 7 is a flow diagram of one embodiment of a process for completing a provisional signature in a server-assisted signature scheme.

FIG. 8 is a flow diagram of one embodiment of a process for verifying a final signature in a server-assisted signature scheme.

FIG. 9 is a flow diagram of one embodiment of a process for generating keys for a designated confirmer signature scheme.

FIG. 10 is a flow diagram of one embodiment of a process for generating keys for a designated confirmer signature scheme.

FIG. 11 is a flow diagram of one embodiment of a process for confirmation for a designated confirmer signature scheme.

FIG. 12 is a flow diagram of one embodiment of a process for disavowal for a designated confirmer signature scheme.

FIG. 13 is a flow diagram of one embodiment of a process for a designated confirmer signature scheme.

FIG. 14 is a flow diagram of one embodiment of a process for verification of a final signature for a designated confirmer signature scheme.

FIG. 15 is a flow diagram of one embodiment of a process for key generation for a blind signature scheme.

FIG. 16 is a flow diagram of one embodiment of a process for provisional generation for a blind signature scheme.

FIG. 17 is a flow diagram of one embodiment of a process for completion of a blind signature.

FIG. 18 is a flow diagram of one embodiment of a process for verification of a blind signature.

FIG. 19 is a flow diagram of one embodiment of a process for pre-computing a chameleon hash function.

FIG. 20 is a flow diagram of one embodiment of a process for certifying pre-computed values for verification of a chameleon hash function.

FIG. 21 is a flow diagram of one embodiment of a process for verifying pre-computed values for verification of a chameleon hash function.

FIG. 22 is a flow diagram of one embodiment of a process for checking a chameleon hash using pre-computed values for verification of the chameleon hash function.

DETAILED DESCRIPTION OF THE PRESENT INVENTION

Provisional signature schemes are described. Specifically, the signer produces “provisional signatures” that are converted to “final signatures” by a third party server. These final signatures can then be verified by a verifier. In one embodiment, to compensate for the possibility that the third party server could be compromised or malfunctioning, the server cannot sign documents on its own but can only convert provisional signatures created by the signer. In one embodiment, the server performs little computation and stores only a small amount of data per signature, so that the server may scale to handle a large number of signers.

The provisional signature schemes include server assisted signature schemes, designated confirmer signature schemes, and blind signature schemes. In one embodiment, the server assisted signatures are used in product registration and in reducing the computational load on a device. In one embodiment, the designated confirmer signature schemes are used for fair exchange of digital contracts. In one embodiment, the blind signature schemes are used to create anonymous electronic cash.

Embodiments of the present invention include schemes for secure server assisted signatures that are efficient with respect to the computation requirements of the signer, server and verifier, as well as the bandwidth requirements of the channels over which these parties communicate. In one embodiment of the present invention, the scheme has a communication complexity for the signer of only 160 bits per signature, which is an order of magnitude improvement over previous SAS schemes.

In one embodiment, the SAS method described herein for use with UIM cards requires only 128 bits of space for each secret key, and it allows fast signatures without use of special purpose co-processors.

In the following description, numerous details are set forth to provide a more thorough explanation of the present invention. It will be apparent, however, to one skilled in the art, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the present invention.

Some portions of the detailed descriptions which follow are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “processing” or “computing” or “calculating” or “determining” or “displaying” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.

The present invention also relates to apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus.

The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear from the description below. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.

A machine-readable medium includes any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer). For example, a machine-readable medium includes read only memory (“ROM”); random access memory (“RAM”); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.); etc.

Definitions and Assumptions

For purposes herein, a function f(n) is negligible if for any polynomial function q(n), there is a value n₀ such that for all n > n₀, it holds that f(n) < 1/q(n). One example of such a negligible function is f(n) = 1/2^n.

If a and b are two integers with a ≤ b, [a, b] denotes the set of integers between a and b inclusive. That is, [a, b] = {c ∈ Z | a ≤ c ≤ b}.

If S is a set of elements, and D is a sample-able probability distribution on S, the process of picking an element s from S according to the distribution D is denoted by

It is known to one of ordinary skill in the art that the security of many cryptographic techniques relies upon making certain computational intractability assumptions. For example, one may try to prove that a cryptosystem is secure so long as it is difficult to decompose a specific number into its prime factors efficiently. The term “computational” is often used to identify this class of cryptographic techniques. In one embodiment, a set of assumptions relevant to proving the security of the embodiments of the present invention described herein are described below.

The Discrete Logarithm Assumption

The discrete logarithm assumption in a group G states that given a generator g of the group, and given a value y = g^x, it is computationally difficult to obtain x. We will be specifically interested in the group of rational points of an elliptic curve. This constitutes a standard mathematical group on which to define the discrete logarithm problem. For such an elliptic curve group of order q, the best known approaches for finding the discrete logarithm require time √q.

Chameleon Hash Function

A chameleon hash function is a function CH(m, r) defined by a public key PK_ch and a secret key SK_ch generated by a probabilistic polynomial time algorithm G(1^k). Given the public key PK_ch it is easy to evaluate CH(m, r). Without the secret key, it is hard to find a tuple (m, m′, r, r′) such that CH(m, r) = CH(m′, r′). With the secret key, on the other hand, it is easy, given m, m′, and r, to find an r′ such that CH(m, r) = CH(m′, r′).

A specific family of chameleon hash functions is defined for a group G of order q in which the discrete logarithm assumption holds as follows. The secret key SK_ch is a uniform random value x in Z*_q, while the public key is the value h = g^x. The hash is then defined as CH(m, r) = g^m h^r. For a specific group instance, G is the group of points on an appropriately chosen elliptic curve. By appropriate choices of parameters, a chameleon hash with outputs 160 bits in length is obtained. Embodiments of the present invention described herein include the use of this chameleon hash function; however, it will be apparent to anyone with ordinary skill in the art that another chameleon hash function could be used.

Pseudo-Random Generator

A pseudo-random generator G takes as input a short random seed of s bits and outputs a string of k bits where k > s. The output string is pseudo-random in the sense of being indistinguishable from a random string.

Bit Commitment Scheme

A bit commitment scheme C(M, r) satisfies the property of being statistically hiding and computationally binding. Statistically hiding means that no adversary, no matter how powerful, can recover M from C(M, r) without knowledge of r except with negligible probability. Computationally binding means that the commitment C(M, r) cannot be opened to a value M′ ≠ M by any probabilistic polynomial time algorithm.

Overview

FIG. 1 is a flow diagram of one embodiment of a provisional signature process. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both.

Referring to FIG. 1, the process begins by processing logic creating a provisional signature by performing an operation on a message (processing block 101). Next, processing logic completes the provisional signature to create a final signature on the message (processing block 102). Both processing blocks 101 and 102 may be performed using one or two secret keys. After the final signature has been completed, processing logic verifies the final signature (processing block 103).

FIG. 2 is a flow diagram of one embodiment of a verifier process. Referring to FIG. 2, the signature generated through the use of the provisional signature process described herein is verified by inputting the signature, the message m and a public key into the verifier and receiving an indication (e.g., yes/no) of whether the signature is valid.

The provisional signature process described herein may be applied to server assisted signature schemes, designated confirmer schemes and blind signature schemes. Embodiments of these schemes are described below.

An Example System for Server Assisted Signatures

In one embodiment, a system for communicating data between a signer, verifier, and server provides server assisted signatures. The signer generates provisional signatures and transmits the generated provisional signatures over a communications network to a verifier. The verifier transmits a provisional signature over a communications network to a server. Subsequently, the verifier receives a final signature from the server and verifies the resulting final signature. The server converts the provisional signature to a final signature and transmits the final signature over a communications network to the verifier.

Each of the signer, verifier, and server comprises a component having processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software apparatus (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. FIG. 3 illustrates one embodiment of such a component. Referring to FIG. 3, component 300 includes a processor 301, memory 302 and a network interface 303. Processor 301 is coupled to memory 302 and network interface 303.

The signer includes processor 301 with processing logic to receive a message through an external network interface 303 and to apply a method for creating provisional signatures, thereby obtaining a provisional signature on the message.

The verifier includes processor 301 with processing logic to receive a message and a final signature through an external network interface 303 and to apply a method for verifying signatures, thereby obtaining assurance that the message originated with the indicated signer.

The server includes processor 301 with processing logic to transmit to network 304 the output of a method for converting a provisional signature, received through an external network interface 303 as input as part of a network request, into a final signature.

FIG. 5 is a flow diagram of one embodiment of a process for key generation for a server assisted digital signature technique. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, key generation is performed by the signer.

Referring to FIG. 5, the process begins by processing logic specifying a security parameter k and a number of signatures S (processing block 501). Next, processing logic produces a random 160-bit elliptic curve, together with a generator point g (processing block 502). There are standard techniques for selecting a generator. For example, one approach is to pick a random element and see if it happens to be a valid generator. In one embodiment, this curve and generator are used for all entities in the system. For purposes herein, and as a break with convention, a group of points over an elliptic curve is notated as a multiplicative group; it will be apparent to one of ordinary skill in the art how to transfer such notation to the standard additive notation. Note that other elliptic curves could be used (e.g., a 161-bit elliptic curve), as well as a 1024-bit finite field. In general, the scheme could use any algebraic group in which the discrete logarithm is hard, and the generator g should come from that group.

After the curve and generator are produced, processing logic chooses two seeds s₁ and s₂ uniformly at random (processing block 503). Next, processing logic generates a sequence of values x_i, where 1 ≤ i ≤ S, as successive outputs of a PRG seeded with the random seed s₁ (processing block 504) and generates another sequence of values c_i, 1 ≤ i ≤ S, as successive outputs of a PRG seeded with the random seed s₂ (processing block 505). Once the two sequences are generated, processing logic calculates a sequence of values h_i = g^(x_i), where 1 ≤ i ≤ S (processing block 506). Then, processing logic computes a key pair (SK, PK) for a standard signature scheme (processing block 507). The secret key SK is used to create a sequence of S signatures Sig_i = Sig((g^(x_i) h_i^(c_i), h_i)).

Once the calculations have been completed, processing logic sends the seeds s₁ and s₂ to the signer (processing block 508) and sends the values h_i and Sig_i to the server (processing block 509). Also, processing logic publishes the public key PK as the signer's public key, together with g and the address of the server.

FIG. 6 is a flow diagram of one embodiment of a process for generating a provisional signature for use in a server assisted signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is a part of the signer.

Referring to FIG. 6, the process begins by processing logic generating the value x_i using its secret seed s₁ (processing block 601) and generating the value c_i using its secret seed s₂ (processing block 602). Next, processing logic finds an r_i such that g^(m_i) h_i^(r_i) = g^(x_i) h_i^(c_i) (processing block 603) and outputs r_i as the provisional signature of message m_i (processing block 604).

FIG. 7 is a flow diagram of one embodiment of a process for completing a provisional signature for a server assisted signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the server.

Referring to FIG. 7, the process begins by processing logic receiving the index i of the provisional signature r_i (processing block 701). Next, processing logic looks up and returns the corresponding values Sig_i = Sig((g^(x_i) h_i^(c_i), h_i)) from the sequence of signatures, and h_i (processing block 702), and outputs the final signature (Sig((g^(x_i) h_i^(c_i), h_i)), h_i, m_i, r_i) (processing block 703).

FIG. 8 is a flow diagram of one embodiment of a process for verifying a final signature for a server assisted signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the verifier.

Referring to FIG. 8, the process begins by processing logic computing g^(m_i) h_i^(r_i) (processing block 801) and verifying the signature by checking that V_PK(Sig((g^(m_i) h_i^(r_i), h_i))) = 1 (processing block 802). Next, processing logic accepts the signature as valid if and only if the check passes (processing block 803).

Alternatively, the server assisted signature scheme may be viewed as a server-assisted one-time signature scheme obtained by using the “hash-sign-switch paradigm” to transform any underlying signature scheme secure against existential forgery under chosen message attack. It is assumed that an existing signature scheme (Gen, Sig, Ver) is secure against existential forgery under adaptive chosen message attack and that S signatures in total are to be signed.

1. Key Generation: First generate a key pair PK_sig and SK_sig for the underlying signature scheme. Then, using a PRG with seed s₁, generate a sequence of chameleon hash key pairs (SK_ch^i, PK_ch^i) for i from 1 to S. Finally, using a PRG with seeds s₂ and s₃, generate two sequences of pseudo-random values v₁, ..., v_S and w₁, ..., w_S. The value c_i is defined as c_i = CH_i(w_i, v_i), i.e., the chameleon hash of (w_i, v_i) under the chameleon hash key PK_ch^i. SK_prov consists of the seeds s₁ and s₂, while SK_comp consists of the values PK_ch^i and Sig(c_i, PK_ch^i). The public key PK consists of PK_sig and the address of the server.

2. ProvSign: On input (M, i) for the next value i, compute SK_ch^i using s₁, v_i using s₂, and w_i using s₃. Then compute r_i such that CH_i(M, r_i) = CH_i(w_i, v_i) = c_i. Return r_i as the provisional signature on M. Mark the value i as used.

3. Complete: On input (±, i), return PK_(ch) ^(i) and Sig(c_(i),PK_(ch)^(i)). The final signature is then (M,r_(i),PK_(ch)^(i),Sig(c_(i),PK_(ch) ^(i))).

4. Verify: On input (M, r_(i), PK_(ch) ^(i),Sig(c_(i),PK_(ch) ^(i)),accept the signature as valid if and only ifVer(Sig(CH_(i)(M,r_(i)),PK_(ch) ^(i))=1

Note that the entire “secret key” for the Complete operation, SK_(comp),can be revealed without enabling an adversary to forge final signatures.Therefore, a server in this server-assisted signature scheme may beaggressively replicated. Furthermore, the server performs nocomputation, but simply returns static, read-only values PK_(ch) andSig(c, PK_(ch)).

In one embodiment, the system for communicating data between signer,verifier, and server for performing server assisted digital signaturescomprises a client component capable of creating provisional signatures,a server component capable of completing provisional signatures to yieldfinal signatures, and a verifier component capable of verifying finalsignatures.

In one embodiment, each of the signer, verifier and the server of animplementation of a server assisted signature scheme may be a hardwareapparatus (e.g., circuitry, dedicated logic, etc.), software apparatus(such as is run on a general purpose computer system or a dedicatedmachine), or a combination of both, capable of performing processinglogic. Each of these components may be implemented as the componentshown in FIG. 3. The server-assisted signer uses the external networkinterface to receive a request for a provisional signature and itsprocessor, which is coupled to the external network interface and thememory, to create the provisional signature and return the provisionalsignature via the external network to the requesting party. The serverassisted signature verifier component uses its external networkinterface to receive a final signature. The server assisted signatureserver component uses its external network interface to receive aprovisional signature and its processor, which is coupled to theexternal network interface and the memory, to transmit to the networkthe completed final signature for a server assisted signature scheme.

In one embodiment of a server-assisted signature scheme, the chameleonfunction CH(m, r)=g^(x)h^(r). In such a case, the signor storage needonly store the seed s, which is 128 bits in length, and a counter, whichis 20 bits in length, to represent the variable “i” used in thedescription below. Thus, the total signer storage is 148 bits,regardless of the number of signatures. Note that most previouspublic-key signature schemes, such as RSA, require much larger secretkey sizes. With respect to signor computation, the signer evaluates thePRG a constant number of times to obtain x_(i), and then performs O(log²q) operations to compute the provisional signature r_(i), where q is theorder of the group G. The signer need only communicate r_(i), which is160 bits. The server includes storage that, for each signature, storesh_(i) and Sig_(i). In this embodiment, the value h_(i) is 160 bits,while by using an appropriately short signature scheme, Sig_(i) can alsobe reduced to 320 bits or less. The server does not perform any on-linecomputation. Instead, the server simply retrieves the pair (h_(i),Sig_(i)) and returns it to the verifier. As far as verifier computationis concerned, the verifier must perform one elliptic curve pointmultiplication, and one ordinary signature verification.
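The hash-sign-switch construction above (Key Generation, ProvSign, Complete, Verify with CH(m, r)=g^(m)h^(r)), as an added Python example that is not part of the patent. A 64-bit safe-prime subgroup generated at import, Schnorr as the underlying (Gen, Sig, Ver), SHA-256 as the PRG, and a single seed s from which s₁, s₂, s₃ are derived are all assumptions of this example; the Key Generation and ProvSign steps order the pair (v_(i), w_(i)) differently, and the example follows ProvSign.

```python
import hashlib
import secrets

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; with these 12 bases the answer is exact for n < 3.3e24."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits):
    """Smallest safe prime p = 2q + 1 with q >= 2^(bits-1); returns (p, q, g)."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 is a square mod p, so it generates the order-q subgroup

# Constructed toy group (an assumption, not from the patent): a 64-bit safe-prime
# subgroup. The patent's 160-bit figures assume an elliptic-curve group instead.
P, Q, G = safe_prime_group(64)

def to_zq(*parts):
    """Hash ints/bytes into Z_q; used as the PRG on (seed, label, i) and as the
    hash inside the Schnorr signature."""
    hsh = hashlib.sha256()
    for part in parts:
        hsh.update(part if isinstance(part, bytes) else part.to_bytes(32, "big"))
    return int.from_bytes(hsh.digest(), "big") % Q

def sig_gen():  # underlying scheme (Gen, Sig, Ver): Schnorr in the same group
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def sig_sign(sk, *msg):
    k = secrets.randbelow(Q - 1) + 1
    big_r = pow(G, k, P)
    return big_r, (k + sk * to_zq(big_r, *msg)) % Q

def sig_verify(pk, sig, *msg):
    big_r, s = sig
    return pow(G, s, P) == big_r * pow(pk, to_zq(big_r, *msg), P) % P

def ch_hash(h, m, r):
    """Chameleon hash CH(m, r) = g^m h^r; the trapdoor is x = log_g h."""
    return pow(G, m, P) * pow(h, r, P) % P

def ch_collide(x, m, v, w):
    """The r with CH(m, r) = CH(v, w): solve m + x r = v + x w (mod q) for r."""
    return (v + x * w - m) * pow(x, -1, Q) % Q

class Signer:
    """Signer state is one seed s plus the counter i, the patent's 148 bits."""

    def __init__(self, seed, total):
        self.seed, self.total, self.i = seed, total, 0

    def _derive(self, i):  # the patent's s1, s2, s3 become s under distinct labels
        x = to_zq(self.seed, b"s1", i) or 1  # SK_ch^i, a nonzero trapdoor
        return x, to_zq(self.seed, b"s2", i), to_zq(self.seed, b"s3", i)  # v_i, w_i

    def keygen(self):
        """Returns PK_sig and SK_comp = [(PK_ch^i, Sig(c_i, PK_ch^i))] for the server."""
        pk, sk = sig_gen()
        sk_comp = []
        for i in range(self.total):
            x, v, w = self._derive(i)
            h = pow(G, x, P)  # PK_ch^i
            sk_comp.append((h, sig_sign(sk, ch_hash(h, v, w), h)))  # c_i = CH_i(v_i, w_i)
        return pk, sk_comp

    def prov_sign(self, message):
        """ProvSign: r_i with CH_i(M, r_i) = c_i; each i is consumed exactly once."""
        if self.i >= self.total:
            raise RuntimeError("all one-time chameleon keys have been used")
        i, self.i = self.i, self.i + 1  # reusing i for two messages would leak x_i
        x, v, w = self._derive(i)
        return i, ch_collide(x, to_zq(message), v, w)

def server_complete(sk_comp, i):
    """Complete: a static read-only lookup, which is why the server can be replicated."""
    return sk_comp[i]

def verify_final(pk_sig, message, r, h, sig):
    """Verify: recompute c = g^M h^r and check the underlying signature on (c, h)."""
    return sig_verify(pk_sig, sig, ch_hash(h, to_zq(message), r), h)
```

The counter check in prov_sign is the part that matters operationally: two provisional signatures under the same i give two openings of one chameleon hash and reveal the trapdoor x_(i).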

An Example of a Designated Confirmer Scheme

The process of creating a provisional signature and completing the provisional signature may be used for designated confirmer schemes. An example of such a scheme is given below.

FIG. 9 is a flow diagram of one embodiment of a process for generating a key for use in a designated confirmer signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of a signer or designated confirmer. Referring to FIG. 9, the process begins by processing logic creating a key pair PK_(S), SK_(S) for a standard secure digital signature scheme (processing block 901) and creating a key pair PK_(dc), SK_(dc) for a semantically secure public-key encryption scheme (processing block 902). This is done in a manner well-known in the art.

FIG. 10 is a flow diagram of one embodiment of a process for generating a provisional signature for use with designated confirmer signature schemes. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the signer.

Referring to FIG. 10, the process begins by processing logic creating a commitment C(M, r) to the message M (processing block 1001) and signing the commitment, S=Sig(C(M, r)) (processing block 1002). Next, processing logic outputs the provisional signature (M, S, E_(PK)(r)), where E is a semantically secure public-key encryption scheme (processing block 1003).

FIG. 11 is a flow diagram of one embodiment of a process for confirming a provisional signature in a designated confirmer signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the designated confirmer.

Referring to FIG. 11, the process begins by processing logic performing a zero-knowledge proof of knowledge of a value r such that comm=C(M, r), where comm is a variable corresponding to the commitment in the provisional signature and M is the message that the signer has allegedly signed (processing block 1101).

FIG. 12 is a flow diagram of one embodiment of a process for disavowing a provisional signature in a designated confirmer signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the designated confirmer.

Referring to FIG. 12, the process begins by parsing the purported signature as (M, S, E_(PK dc)(r)) (processing block 1201). Then, processing logic decrypts E_(PK dc)(r) to recover r (processing block 1202). Finally, processing logic performs a zero-knowledge proof of knowledge of an r and an M′ such that Ver(S)=1, C(M′, r)=S, D_(ch)(E_(ch)(r))=r, and M′≠M (processing block 1203).

In an alternative embodiment, processing logic sends additional information to the verifier to convince the verifier (in zero-knowledge) that the claimed message was signed: the confirmer sends comm, S, and a zero-knowledge proof of knowledge of an r such that comm=C(M, r), where M is the message that the signer has allegedly signed. To verify that M was signed, the verifier checks the zero-knowledge proof, and checks that S is a valid signature on comm.

FIG. 13 is a flow diagram of one embodiment of a process for completing a provisional signature in a designated confirmer signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the designated confirmer.

Referring to FIG. 13, the process begins by processing logic decrypting E_(pk)(r) to obtain r (processing block 1301). Next, processing logic outputs (M, r, S) as the final signature on M (processing block 1302).

FIG. 14 is a flow diagram of one embodiment of a process for verifying a final signature in a designated confirmer signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the verifier.

Referring to FIG. 14, the process begins by processing logic computing the variable comm equal to C(M, r) (processing block 1401) and checking that S is a valid signature on comm under PK_(s), which is the public key of the signature scheme (processing block 1402). Then, processing logic accepts if and only if the check passes (processing block 1403).

In one embodiment, a system for communicating data between signer, verifier, and server for performing designated confirmer digital signatures includes a client component capable of creating provisional signatures, a server component capable of completing provisional signatures to yield final signatures, and a verifier component capable of verifying final signatures.

In one embodiment, each of the signer, verifier and the server in one embodiment of an implementation of a designated confirmer signature scheme may be a hardware apparatus (e.g., circuitry, dedicated logic, etc.), software apparatus (such as is run on a general purpose computer system or a dedicated machine), or a combination of both, capable of performing processing logic. Each of these components may be implemented as the component shown in FIG. 3. The designated confirmer signer uses the external network interface to receive a request for a provisional signature and its processor, which is coupled to the external network interface and the memory, to create the provisional signature and return the provisional signature via the external network to the requesting party. The designated confirmer signature verifier component uses its external network interface to receive a final signature. The designated confirmer signature server component uses its external network interface to receive a provisional signature and its processor, which is coupled to the external network interface and the memory, to transmit to the network the completed final signature for a designated confirmer signature scheme.

Efficiently Realizing the Transformation

Using the transformation described herein, the step that may be the most difficult to perform efficiently is the disavow protocol and the resulting zero-knowledge proof, because it simply relies on the fact that “this designated confirmer signature is invalid” is an NP-statement that can be proven in zero knowledge.

Interestingly, the possibility that the ciphertext contained in the designated confirmer signature is not well-formed can be eliminated by making some assumptions about the underlying encryption scheme. For example, call a cryptosystem ciphertext-dense if all but a negligible fraction of bit-strings are valid ciphertexts. If the disavow protocol is run with a ciphertext-dense cryptosystem, it does not need to be proved that the bitstring is an invalid ciphertext.

In one embodiment, a ciphertext-dense public-key encryption scheme is constructed from any trapdoor permutation family as follows. Let the public key be f: {0,1}^(k)→{0,1}^(k) and the private key be the inverse f⁻¹. To encrypt a single bit b, pick x, r←_(R){0,1}^(k). The ciphertext is then (f(x), r, GL(x, r)⊕b), where GL is the Goldreich-Levin predicate. It is easy to see that an adversary breaking the semantic security of the scheme is a predictor for the Goldreich-Levin predicate, and so would contradict the one-wayness of f. Further, since the symbol “,” means concatenation, every string of 2k+1 bits is a valid ciphertext. Alternatively, an encryption scheme can be used that provides randomness recovery. That is, given an encryption E_(pk)(m) which used randomness r, the decryption yields the randomness r as well as m.

Efficient Instantiations Based on the N-th Residuousity Assumption

Essentially, Paillier encryption, which is well-known in the art, works as follows. The recipient chooses a composite modulus N, whose factorization it keeps secret. The recipient also publishes a number gεZ/N²Z that generates a “sufficiently large” group modulo N², e.g., a group of order Nφ(N)/2. To encrypt m satisfying 0≦m≦N, the sender chooses a random rεZ/N²Z and sets the ciphertext c=r^(N)g^(m) (mod N²). To decrypt, the recipient essentially computes m=log_(g) c (mod N). Paillier encryption is semantically secure assuming the decisional N-th residuosity problem is hard.

In one embodiment, an efficient designated confirmer signature scheme is constructed using any underlying signature scheme, in conjunction with semantically secure Paillier encryption, as follows.

1) Key Generation: The signer creates a key pair (PK_(S), SK_(S)) for any standard secure digital signature scheme. The designated confirmer generates a Paillier modulus N and a suitable generator g modulo N². It also generates a certificate proving that N has the correct form. Finally, the designated confirmer may also provide the description of a second group G₂ and a generator g₂εG₂ that has order N.

2) ProvSign(M):

a) The signer creates a commitment to the message m by generating a random h₂εG₂ and a random rεZ/NZ, and computing c=g₂^(r)h₂^(m)εG₂.

b) The signer creates S=Sig(c, h₂).

c) The signer creates a Paillier encryption of rεZ/NZ by generating a random aεZ/NZ, setting r′=r+aN, and setting E_(N)(r)=g^(r′) (mod N²).

d) The provisional signature is (m, S, c, h₂, E_(N)(r)).

3) Confirm by Signer: The signer proves that its designated confirmer signature is correctly constructed by providing a zero-knowledge proof of knowledge of an r and an a such that E_(N)(r)=g^(r)(g^(N))^(a) (mod N²) and c/h₂^(m)=g₂^(r). This can be performed using standard techniques. Since the designated confirmer can recover r′ (mod N) through Paillier decryption, and since r′ (mod N) completely reveals log_(g₂)(c/h₂^(m)) (since G₂ has order N), the verifier is convinced by this zero-knowledge proof of knowledge that the designated confirmer can “extract” a conventional signature (m, S, h₂, r) from the designated confirmer signature. Notice that the proof of knowledge can be very efficiently implemented.

4) Confirm by Designated Confirmer: To confirm, the designated confirmer simply provides the provisional signature and a zero-knowledge proof of knowledge of r=log_(g₂)(c/h₂^(m)). It can easily recover r from the Paillier ciphertext.

5) Disavow: If the designated confirmer signature is badly formed, either S is not a valid signature on (c, h₂) (which is easily verifiable), or c/h₂^(m)≠g₂^(D_(N)(E_(N)(r))). In other words, if we set c′=c/h₂^(m), it must be the case that log_(g₂) c′≠log_(g)(E_(N)(r)) (mod N). To prove that this inequality holds, the designated confirmer first recovers d=log_(g)(E_(N)(r)) (mod N) using Paillier decryption. If x=φ(N) and y=dφ(N), then E_(N)(r)^(x)=g^(y) (mod N²), but c′^(x)≠g₂^(y). The designated confirmer can provide a zero-knowledge proof of knowledge of these x and y using fairly standard techniques. In particular, one can construct the usual three-round zero-knowledge proof by 1) having the confirmer choose values u, vεZ/NZ and send (A, B)=(E_(N)(r)^(u)g^(v), c′^(u)g₂^(v)) to the verifier, 2) having the verifier randomly choose a bit bε{0, 1}, and 3) having the confirmer send back values u′, v′εZ/NZ such that E_(N)(r)^(u′)g^(v′)=A and c′^(u′)g₂^(v′)=B if b=0, or such that E_(N)(r)^(u′)g^(v′)=A and c′^(u′)g₂^(v′)≠B if b=1. In the last step, the confirmer can generate such (u′, v′) by generating a random 0≠kεZ/NZ and setting u′=u+bkx (mod N) and v′=v−bky (mod N).

The designated confirmer, since it can decrypt the value of r, converts the designated confirmer signature into an “ordinary” signature that can be verified by anyone; this ordinary signature consists of (m, S, h₂, r), and a verifier checks that S is a valid signature on (c, h₂) for c=g₂^(r)h₂^(m). However, to prove the confirmer's security, i.e., to prove that malicious adversaries that interact with the designated confirmer will be unable to eventually usurp the role of the confirmer and gain the ability to convert designated confirmer signatures into signatures verifiable by everyone, a semantically secure version of Paillier encryption does not seem to be sufficient.

However, it is a relatively simple matter to replace the semantically secure version above with an IND-CCA2 secure version of Paillier encryption described by Camenisch and Shoup. The zero-knowledge proofs are essentially the same. The main difference is that, since the encryption scheme is IND-CCA2 secure, the confirmer can securely reveal the decryption of ciphertexts chosen by malicious adversaries, and thus can securely extract an ordinary signature from a designated confirmer signature as described above.
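The Paillier-based designated confirmer construction (steps 1 to 5 above), which also instantiates the generic flow of FIGS. 10, 13 and 14, as an added Python example that is not part of the patent. The toy Paillier primes 1019 and 1151, the choice g=1+N for the Paillier base, a prime-field subgroup of order exactly N as G₂, and a toy RSA full-domain-hash scheme standing in for the signer's “any standard secure digital signature scheme” are all assumptions of this example; the zero-knowledge proofs of steps 3 to 5 are not implemented, the block only computes the values they are about: the decrypted r, the well-formedness test that decides between Confirm and Disavow, and the extracted ordinary signature.

```python
import hashlib
import secrets
from math import gcd

def is_prime(n):  # trial division; adequate for the toy sizes used here
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def hash_int(*parts, mod):
    """Hash ints/bytes to an integer below mod (a constructed random oracle)."""
    hsh = hashlib.sha256()
    for part in parts:
        hsh.update(part if isinstance(part, bytes) else part.to_bytes(16, "big"))
    return int.from_bytes(hsh.digest(), "big") % mod

# Designated confirmer keys: a toy Paillier modulus N (the primes are an assumption
# of this example) and a prime-field subgroup G2 of order exactly N.
P_PAIL, Q_PAIL = 1019, 1151
N = P_PAIL * Q_PAIL
N2 = N * N
LAM = (P_PAIL - 1) * (Q_PAIL - 1) // gcd(P_PAIL - 1, Q_PAIL - 1)  # Carmichael lambda

def paillier_enc(m):
    """Paillier: c = u^N g^m (mod N^2) with g = 1 + N and a random u in Z_N^*."""
    u = secrets.randbelow(N - 2) + 2
    while gcd(u, N) != 1:
        u = secrets.randbelow(N - 2) + 2
    return pow(u, N, N2) * pow(1 + N, m, N2) % N2

def paillier_dec(c):
    """m = L(c^lambda mod N^2) * lambda^-1 (mod N), where L(x) = (x - 1) / N."""
    return (pow(c, LAM, N2) - 1) // N * pow(LAM, -1, N) % N

def make_g2():
    """Smallest prime P2 = k*N + 1 and an element g2 = a^k of order exactly N."""
    k = 2
    while not is_prime(k * N + 1):
        k += 2
    p2 = k * N + 1
    for a in range(2, p2):
        g2 = pow(a, k, p2)
        if pow(g2, P_PAIL, p2) != 1 and pow(g2, Q_PAIL, p2) != 1:
            return p2, g2

P2, G2 = make_g2()

# Signer's underlying scheme: a toy RSA full-domain-hash signature stands in for
# "any standard secure digital signature scheme" (an assumption of this example).
RSA_P, RSA_Q = next_prime(10 ** 6), next_prime(10 ** 6 + 100)
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def sig_sign(*msg):
    return pow(hash_int(*msg, mod=RSA_N), RSA_D, RSA_N)

def sig_verify(s, *msg):
    return pow(s, RSA_E, RSA_N) == hash_int(*msg, mod=RSA_N)

def prov_sign(message):
    """ProvSign: c = g2^r h2^m, S = Sig(c, h2), and a Paillier encryption of r."""
    m = hash_int(message, mod=N)
    h2 = pow(G2, secrets.randbelow(N - 1) + 1, P2)  # random element of G2
    r = secrets.randbelow(N)
    c = pow(G2, r, P2) * pow(h2, m, P2) % P2
    return message, sig_sign(c, h2), c, h2, paillier_enc(r)

def confirmer_extract(prov):
    """Designated confirmer: decrypt r and decide between Confirm and Disavow.
    Returns the ordinary signature (m, S, h2, r), or None when the DC signature
    is badly formed (S invalid, or log_g2(c / h2^m) != the decrypted value)."""
    message, s, c, h2, enc_r = prov
    m = hash_int(message, mod=N)
    d = paillier_dec(enc_r)  # d = log_g E_N(r) (mod N)
    c_prime = c * pow(h2, -m, P2) % P2  # c' = c / h2^m
    if not sig_verify(s, c, h2) or pow(G2, d, P2) != c_prime:
        return None  # the Disavow case: the inequality of step 5 holds
    return message, s, h2, d

def verify_ordinary(message, s, h2, r):
    """Anyone can check the extracted signature: S signs (c, h2) for c = g2^r h2^m."""
    c = pow(G2, r, P2) * pow(h2, hash_int(message, mod=N), P2) % P2
    return sig_verify(s, c, h2)
```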

An Example of a Blind Signature Scheme

FIG. 15 is a flow diagram of one embodiment of a process for generating a key for a blind signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the signer.

Referring to FIG. 15, the process begins by processing logic creating a key pair PK_(S), SK_(S) for a standard secure digital signature scheme (processing block 1501).

FIG. 16 is a flow diagram of one embodiment of a process for generating a provisional signature for a blind signature scheme. The process is performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the blinder or signer.

Referring to FIG. 16, the process begins by processing logic picking a random value r and computing X=C(M, r) (processing block 1601). Next, processing logic sends X to the signer and performs a zero-knowledge proof of knowledge of an r and M such that X=C(M, r) (processing block 1602). If and only if the proof succeeds, processing logic signs X and returns Sig(X) (processing block 1603) and outputs the provisional signature on M as Sig(X)=Sig(C(M, r)) (processing block 1604).

FIG. 17 is a flow diagram of one embodiment of a process for completing a provisional signature for a blind signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the blinder.

Referring to FIG. 17, the process begins by processing logic generating a new random value r′ (processing block 1701). Next, processing logic outputs the final signature on M as C(Sig(C(M, r)), r′) (processing block 1702).

FIG. 18 is a flow diagram of one embodiment of a process for verifying a final signature for a blind signature scheme. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the blinder or a signer.

Referring to FIG. 18, the process begins by processing logic performing a ZK proof of knowledge to the verifier of r and r′ such that S decommits to the value Sig(C(M, r)), Ver(Sig(C(M, r)))=1, and C(M, r) decommits to M (processing block 1801).

The above interactive proof can be rendered non-interactive using random oracles via the “Fiat-Shamir heuristic.”

FIG. 19 is a flow diagram of one embodiment of a process for generating pre-computed values for verification of a chameleon hash function. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the blinder or signer.

The problem may be set forth as follows: given (G, g, y, x), where G is a group of order q, g, yεG, and xε[1, q], prove that g^(x)=y in G. Suppose, for convenience, that ⌈log₂(c_(max)+1)⌉=kd for some integer d, where c_(max) is the maximum value the challenge c can take, and where k is the integer parameter mentioned above.

Referring to FIG. 19, the process begins by processing logic, for a fixed k, finding the values x_(i)εX, where X={ab: a=2^(kd′), 0≦d′<d, 1≦b<2^(k)} (processing block 1901). Thereafter, processing logic defines the pre-computed values as (x_(i), g^(x_(i))) (processing block 1902).

FIG. 20 is a flow diagram of one embodiment of a process for certifying pre-computed values for verification of a chameleon hash function. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both.

Referring to FIG. 20, the process begins by processing logic computing a Merkle tree on the values (x_(i), g^(x_(i))) (processing block 2001). Next, processing logic outputs the values h_(i) corresponding to the nodes of the Merkle tree, with h₀ as the root (processing block 2002).

FIG. 21 is a flow diagram of one embodiment of a process for verifying pre-computed values for verification of a chameleon hash function. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. In one embodiment, the processing logic is part of the blinder or signer.

Referring to FIG. 21, processing logic is given the values (x, g^(x), h_(i₁), . . . , h_(i_(n))), and checks that the h_(i) form a valid authentication path for (x, g^(x)) (processing block 2101).

FIG. 22 is a flow diagram of one embodiment of a process for checking a chameleon hash using pre-computed values for verification of a chameleon hash function. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both.

Referring to FIG. 22, the process begins by processing logic being given pre-computed values ((y₁, g^(y₁)), . . . , (y_(n), g^(y_(n)))) with authentication paths for each value, and a claimed (x, g^(x)), and verifying the pre-computed values (processing block 2201). Next, processing logic checks Σy_(i)=x (processing block 2202). Thereafter, processing logic checks that Πg^(y_(i))=g^(x) (processing block 2203). Processing logic accepts the chameleon hash function if and only if all checks pass (processing block 2204).
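The pre-computation, Merkle certification and table-based check of FIGS. 19 to 22, as an added Python example that is not part of the patent. The toy group (p=2039, q=1019, g=4), SHA-256 as the tree hash, and the encoding of an authentication path as a list of (sibling, sibling-on-left) pairs are assumptions of this example; the check on the g^(y_(i)) is implemented as their product in the multiplicative group, and the example also shows how the entries for a given x are selected from the table by its base-2^(k) digits.

```python
import hashlib

# Constructed toy group (an assumption): the order-q subgroup of Z_p^*, p = 2q + 1.
P, Q, G = 2039, 1019, 4

def leaf_hash(x, gx):
    return hashlib.sha256(b"leaf" + x.to_bytes(8, "big") + gx.to_bytes(8, "big")).digest()

def node_hash(left, right):
    return hashlib.sha256(b"node" + left + right).digest()

def precompute(k, d):
    """FIG. 19: the pairs (x, g^x) for x = b * 2^(k d'), 0 <= d' < d, 1 <= b < 2^k."""
    return [(b << (k * dp), pow(G, b << (k * dp), P))
            for dp in range(d) for b in range(1, 1 << k)]

def merkle_tree(table):
    """FIG. 20: the levels of a Merkle tree over the table; levels[-1][0] is h_0."""
    levels = [[leaf_hash(x, gx) for x, gx in table]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # odd level: the last node is paired with itself
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[index]
        path.append((sibling, sib < index))  # True: the sibling is the left child
        index //= 2
    return path

def verify_path(root, x, gx, path):
    """FIG. 21: check that the path authenticates (x, g^x) against the root h_0."""
    node = leaf_hash(x, gx)
    for sibling, sibling_on_left in path:
        node = node_hash(sibling, node) if sibling_on_left else node_hash(node, sibling)
    return node == root

def select_entries(k, d, x):
    """Table indices whose x-values are the nonzero base-2^k digits of x, so they sum to x."""
    idx = []
    for dp in range(d):
        b = (x >> (k * dp)) & ((1 << k) - 1)
        if b:
            idx.append(dp * ((1 << k) - 1) + b - 1)
    return idx

def check_power(root, x, claimed_gx, entries):
    """FIG. 22: given authenticated (y_i, g^y_i) with paths, accept iff every path is
    valid, sum y_i = x, and the product of the g^y_i equals the claimed g^x."""
    if not all(verify_path(root, y, gy, path) for y, gy, path in entries):
        return False
    prod = 1
    for _, gy, _ in entries:
        prod = prod * gy % P
    return sum(y for y, _, _ in entries) == x and prod == claimed_gx
```

A constrained verifier thus replaces one exponentiation by at most d table lookups, d path checks and d multiplications, trusting only the root h₀.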

In one embodiment, the system for communicating data between signer, verifier, and server includes a client component capable of creating provisional signatures, a server component capable of completing provisional signatures to yield final signatures, and a verifier component capable of verifying final signatures.

In one embodiment, each of the signer, verifier and the server of an implementation of a blind signature scheme may be a hardware apparatus (e.g., circuitry, dedicated logic, etc.), software apparatus (such as is run on a general purpose computer system or a dedicated machine), or a combination of both, capable of performing processing logic. Each of these components may be implemented as the component shown in FIG. 3. The blind signature signer uses the external network interface to receive a request for a provisional signature and its processor, which is coupled to the external network interface and the memory, to create the provisional signature and return the provisional signature via the external network to the requesting party. The blind signature verifier component uses its external network interface to receive a final signature. The blind signature server component uses its external network interface to receive a provisional signature and its processor, which is coupled to the external network interface and the memory, to transmit to the network the completed final signature for a blind signature scheme.

An Exemplary Computer System

FIG. 4 is a block diagram of an exemplary computer system that may perform one or more of the operations described herein. Referring to FIG. 4, the computer system may comprise an exemplary client or server computer system. The computer system comprises a communication mechanism or bus for communicating information, and a processor coupled with the bus for processing information. The processor includes a microprocessor, but is not limited to a microprocessor, such as, for example, Pentium, PowerPC, Alpha, etc.

The system further comprises a random access memory (RAM), or other dynamic storage device (referred to as main memory) coupled to the bus for storing information and instructions to be executed by the processor. Main memory also may be used for storing temporary variables or other intermediate information during execution of instructions by the processor.

The computer system also comprises a read only memory (ROM) and/or other static storage device coupled to the bus for storing static information and instructions for the processor, and a data storage device, such as a magnetic disk or optical disk and its corresponding disk drive. The data storage device is coupled to the bus for storing information and instructions.

The computer system may further be coupled to a display device, such as a cathode ray tube (CRT) or liquid crystal display (LCD), coupled to the bus for displaying information to a computer user. An alphanumeric input device, including alphanumeric and other keys, may also be coupled to the bus for communicating information and command selections to the processor. An additional user input device is cursor control, such as a mouse, trackball, trackpad, stylus, or cursor direction keys, coupled to the bus for communicating direction information and command selections to the processor, and for controlling cursor movement on the display.

Another device that may be coupled to the bus is a hard copy device, which may be used for printing instructions, data, or other information on a medium such as paper, film, or similar types of media. Furthermore, a sound recording and playback device, such as a speaker and/or microphone, may optionally be coupled to the bus for audio interfacing with the computer system. Another device that may be coupled to the bus is a wired/wireless communication capability for communication to a phone or handheld palm device.

Note that any or all of the components of the system and associated hardware may be used in the present invention. However, it can be appreciated that other configurations of the computer system may include some or all of the devices.

Whereas many alterations and modifications of the present invention will no doubt become apparent to a person of ordinary skill in the art after having read the foregoing description, it is to be understood that any particular embodiment shown and described by way of illustration is in no way intended to be considered limiting. Therefore, references to details of various embodiments are not intended to limit the scope of the claims, which in themselves recite only those features regarded as essential to the invention.

1. A method comprising: creating a provisional signature by performing an operation on a message, wherein creating the provisional signature comprises creating a commitment C(M, r) to the message, where M represents the message and r is a random string, creating a S=Sig(C(M, r)), where Sig(C(M, r)) represents the signing of the commitment C(M, r), and outputting (M, S, E_(pk)(r)) as the provisional signature, where E is a semantically secure public-key encryption scheme; and completing the provisional signature to create a final signature on the message.

2. The method defined in claim 1 further comprising confirming the provisional signature.

3. The method defined in claim 2 wherein confirming the provisional signature comprises performing a zero-knowledge proof of knowledge of a value r such that Ver(S) equals 1 and the commitment Sig(C(M, r)) equals S, where M represents the message, r is a random string, and S represents the signing of the commitment C(M, r).

4. The method defined in claim 1 further comprising disavowing the provisional signature.

5. The method defined in claim 4 wherein disavowing the provisional signature comprises performing a zero-knowledge proof of knowledge of an r and an M′ such that Ver(S) equals 1, the commitment C(M′, r) equals S, D_(ch)(E_(ch)(r)) equals r, and M′≠M.

6. A method comprising: generating a provisional signature by creating a commitment C(M, r) to the message, where M represents the message and r is a random string, creating a S equal to Sig(C(M, r)), where Sig(C(M, r)) represents the signing of the commitment C(M, r), and outputting (M, S, E_(pk)(r)) as the provisional signature, where E is a semantically secure public-key encryption scheme; and transmitting the provisional signature to a verifier via a network.

7. An apparatus comprising: a processor to generate a provisional signature by creating a commitment C(M, r) to the message, where M represents the message and r is a random string, creating a S equal to Sig(C(M, r)), where Sig(C(M, r)) represents the signing of the commitment C(M, r), and outputting (M, S, E_(pk)(r)) as the provisional signature, where E is a semantically secure public-key encryption scheme; and a network interface coupled to the processor to transmit the provisional signature to a verifier via a network.
 7. An apparatuscomprising: a processor to generate a provisional signature by creatinga commitment C(M, r) to the message, where M represents the message andr is a random string, creating a S equal to Sig(C(M, r)), where Sig(C(M,r)) represents the signing of the commitment C(M, r), and outputting (M,S, Epk(r)) as the provisional signature, where E is a semanticallysecure public-key encryption scheme; and a network interface coupled tothe processor to transmit the provisional signature to a verifier via anetwork.